
How Fake Account Creation Can Undermine Your Business

If it often seems as though there’s a lot of fake content across the internet, it’s because there is. Many types of online fraud—including fake content—originate by creating fake user accounts. It’s not hard to create one or two fake user accounts. You might have multiple accounts on one platform or another already. But this isn’t a story about second Twitter accounts, this is a story about thousands upon thousands of fake accounts.

Large-scale fraud, especially when the intent is to make something look popular or to represent a crowd, is often carried out through automated account creation. And anything that’s worth doing for a fraudster, like creating a fake account to use to post a fake product review, is worth scaling up and doing many, many times over. But rather than creating thousands of fake accounts manually, it’s the work of bots to create those accounts.

Sophisticated bots will often go through the account creation process to abuse incentive or discount programs, create and send spam, manipulate content, or even launder money through puppet (fake or compromised) accounts.

How is it done?

It’s the same way humans create accounts, only much faster and far more often, because bots do the work. The business logic of a simple signup form that asks for only a username and password is easy to understand, which makes the signup process easy to automate. Fraudsters can even add wait times to automated signups to mimic a human more convincingly.

Fraudsters also often have access to more complex bots-as-a-service. Those fraud services typically charge based on the number of new accounts created and on which bundled add-ons are included, such as:

  • CAPTCHA breakers/bypassing: Many tools include CAPTCHA-solving services, where CAPTCHAs are either sent to humans to solve or are solved using machine learning and other bypass techniques.
  • Access to proxies: Proxy traffic lets a fraudster route traffic through a different location. For instance, a fraudster based in Brazil may route traffic through residential devices in the U.S.
  • Purchase of bulk phone numbers: Some packages include the sale of bulk phone numbers so that signups for accounts that must be tied to a phone number can be automated.
  • Auto-generated posts: Some bots generate content and post it as soon as the account is created. On social media platforms, this gives the impression that the account is authentic rather than bot-driven.

How does it pay?

Automated account creation can be monetized through a variety of means. One of the simplest examples is buying followers on social media platforms. If you went through the motions to buy 1,000 new followers, odds are most of those accounts were created and operated by a bot.

Incentive programs and limited-time discounts are another way for fraudsters to monetize their efforts. Many apps now offer referral fees or discounts to new users. Fraudsters who use bots to create a fleet of new accounts can take advantage of both and use a service for free until they get caught.

Since bots and services can be purchased as a commodity, it is easy for fraudsters to operate like a business and find profit in these activities.

How to stop it

There are several steps companies can take today to reduce the risk of automated account creation on their web applications:

  • Implement anomaly-based detection

To start with, fraud and security analysts should monitor for spikes in anomalous behavior. Has there been an influx of new registrations in a short timespan? Have many users exhibited similar behavior in a short timespan (such as posting five-star reviews with similar wording)?

Identifying anomalous activity produces leads, supports the investigation of potentially fraudulent accounts, and allows them to be shut down retroactively.
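
As an added illustration (not part of the original article), here is a small Python sketch of both checks described above, run over constructed registration and review records: it flags any one-minute window with an unusually large number of new accounts, and it clusters five-star reviews whose wording overlaps heavily. The window size, the per-window limit and the similarity threshold are arbitrary assumptions to be tuned against a real baseline.

```python
from collections import defaultdict
from datetime import datetime
from itertools import combinations
import re

# Constructed sample registrations (not real traffic): (ISO timestamp, account id).
REGISTRATIONS = [
    ("2024-05-01T10:00:05", "u1"), ("2024-05-01T10:07:40", "u2"),
    ("2024-05-01T10:31:02", "u3"),
    # six sign-ups inside a single minute
    ("2024-05-01T11:02:01", "b1"), ("2024-05-01T11:02:03", "b2"),
    ("2024-05-01T11:02:04", "b3"), ("2024-05-01T11:02:06", "b4"),
    ("2024-05-01T11:02:09", "b5"), ("2024-05-01T11:02:11", "b6"),
]
# Constructed sample reviews: (account id, stars, text).
REVIEWS = [
    ("u1", 4, "Decent headphones, bass is a little weak."),
    ("b1", 5, "Great product!!! Fast shipping, highly recommend to everyone."),
    ("b2", 5, "Great product, fast shipping. Highly recommend to everyone!"),
    ("b3", 5, "great product fast shipping highly recommend everyone"),
    ("u3", 2, "Stopped working after two weeks."),
]

def registration_bursts(events, window_seconds=60, max_per_window=3):
    """Bucket sign-ups into fixed windows; return the account ids of every
    window holding more than max_per_window new accounts (tune to your baseline)."""
    buckets = defaultdict(list)
    for ts, acct in events:
        epoch = int(datetime.fromisoformat(ts).timestamp())
        buckets[epoch - epoch % window_seconds].append(acct)
    return [ids for _, ids in sorted(buckets.items()) if len(ids) > max_per_window]

def similar_five_star_clusters(reviews, threshold=0.6):
    """Union-find over 5-star reviews whose word sets overlap by >= threshold
    (Jaccard); returns clusters of account ids with more than one member."""
    five = [(acct, set(re.findall(r"[a-z]+", text.lower())))
            for acct, stars, text in reviews if stars == 5]
    parent = {acct: acct for acct, _ in five}
    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x
    for (a, ta), (b, tb) in combinations(five, 2):
        if ta | tb and len(ta & tb) / len(ta | tb) >= threshold:
            parent[find(a)] = find(b)
    clusters = defaultdict(list)
    for acct, _ in five:
        clusters[find(acct)].append(acct)
    return [sorted(c) for c in clusters.values() if len(c) > 1]
```

Both functions return the account ids involved, so their output can feed the manual-review list rather than blocking anything automatically.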

  • Use honeypot fields in your registration forms
A honeypot field is one that is invisible to a person looking at the form but that a bot can see. It is supposed to be left blank, but since bots can see the field, they will enter information into it when they submit the form.

On the back end, you can set up logic that takes any new account with information in the honeypot field and routes it to a list for manual inspection or deletion.
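
An added example (not the article's own code) of the honeypot field and its back-end routing, written in plain Python without a web framework: the field name `website` is a hypothetical choice, and the field is hidden with CSS and kept out of keyboard focus and autofill so that genuine users do not trip it.

```python
import html

# Hypothetical field name (an assumption, not from the article): it should read
# like an ordinary optional field so that a form-filling bot populates it.
HONEYPOT_FIELD = "website"

def render_registration_form(honeypot=HONEYPOT_FIELD) -> str:
    """Registration form whose honeypot is moved off-screen by CSS rather than
    marked type=hidden, so it still looks like a normal text input to a bot,
    while tabindex=-1, aria-hidden and autocomplete=off keep people, screen
    readers and browser autofill from ever writing into it."""
    hp = html.escape(honeypot, quote=True)
    return f"""<form method="post" action="/register">
  <label>Username <input name="username" autocomplete="username" required></label>
  <label>Password <input name="password" type="password" autocomplete="new-password" required></label>
  <div style="position:absolute;left:-10000px" aria-hidden="true">
    <label for="{hp}">Website</label>
    <input id="{hp}" name="{hp}" tabindex="-1" autocomplete="off">
  </div>
  <button type="submit">Create account</button>
</form>"""

REVIEW_QUEUE = []  # stand-in for the list that analysts inspect by hand

def route_registration(form: dict, honeypot=HONEYPOT_FIELD) -> str:
    """Return 'accept' when the honeypot is empty and 'review' when anything was
    written into it; reviewed submissions are queued with the value supplied."""
    value = (form.get(honeypot) or "").strip()
    if value:
        REVIEW_QUEUE.append({"username": form.get("username"), "honeypot": value})
        return "review"
    return "accept"

# Constructed submissions: a person never sees the field, a bot fills every input.
HUMAN_SUBMISSION = {"username": "alice", "password": "s3cret-pw", HONEYPOT_FIELD: ""}
BOT_SUBMISSION = {"username": "deal_hunter_4821", "password": "Passw0rd!",
                  HONEYPOT_FIELD: "http://example.invalid"}
```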

  • Identify sophisticated bot traffic on account registration flows

The most effective way to stop automated account creation is to detect and mitigate the automation in the first place. This is easier said than done. While tools like CAPTCHA may catch basic bots and automated scripts, they can be bypassed with ease.

Since bots-for-sale services offer access to compromised machines across the world, advanced detection is needed: you must be able to distinguish bot activity from genuine human behavior even when both originate from the same device, no matter where the request came from.

HUMAN identifies sophisticated bots that attempt to go through the account creation process so you can prevent automated account creation and maintain the integrity of your applications.

To learn how our approach is different, get a complimentary copy of Enterprise Strategy Group’s Solution Showcase: Securing Applications from Sophisticated Bot Attacks with HUMAN.